100.010: Authority


These regulations in Chapters 100 through 108 are promulgated pursuant
to G.L. c. 66A, § 3, as appearing in St. 1975, c. 776 and
amended  by  St.  1977,  c.  691,  and  pursuant  to  G.L.  c.  18  §  10. 


100.020:   Scope 


These  regulations  in  Chapters  100  through  108  shall  govern  the 
collection,  maintenance  and  disclosure  of  personal  data  contained  in 
manual  or  computerized  personal  data  systems.   These  regulations  shall 
not apply to criminal offender record information, intelligence information
or evaluative information, as defined in G.L. c. 6, § 167.

100.030:  Application 

These  regulations  in  Chapters  100  through  108  shall  apply  to  all 
personal  data  systems  maintained  by  the  Department  of  Public  Welfare 
and  all  holders  as  defined  in  §  101.040  which  contract  with  the 
Department  of  Public  Welfare. 

100.040:   Department  of  Public  Welfare  Instructions 

The  Department  of  Public  Welfare  shall  issue  instructions  consistent 
with  these  regulations  and  with  G.L.  c.  66A  to  carry  out  the  purposes 
set  out  herein.   Such  instructions  shall  include,  but  need  not  be 
limited  to  the  following: 

(A) procedures for obtaining consent from a data subject to the granting
of access to personal data concerning him;

(B)  general  authorizations  for  the  Department  of  Public  Welfare  to 
grant  access  to  personal  data  or,  with  the  consent  of  the  disclosing 
agency,  to  receive  personal  data,  without  the  consent  of  the  data 
subject, to the extent permitted by G.L. c. 66A, § 2(c);

(C)  procedures  for  maintaining  the  audit  trail  required  by  section 
103.060; 

(D)  procedures  governing  access  to  personal  data  by  data  subjects, 
which:

(1)  ensure  that  any  substitute  or  proxy  for  the  individual  data 
subject  be  duly  authorized  by  him; 

(2)  regulate  the  time  and  place  for  inspection  and  the  manner  of 
copying;  provided  that  the  time  for  inspection  shall  not  be  unduly 
restricted;

(3) require that data files be reviewed in the presence of or under
the  supervision  of  an  employee  of  the  Department  of  Public 
Welfare;  and 

(4)  ensure  proper  identification  of  a  person  claiming  to  be  a  data 
subject. 

(E)  Procedures  governing  response  to  compulsory  legal  process,  as 
required  by  106  CMR  104.050; 

(F)  Interpretation  of  statutes  affecting  the  Department  of  Public  Welfare 
which  prohibit,  regulate  or  permit  access  to  personal  data;  and 

(G)  Procedures  for  obtaining  informed  consent  to  the  collection  of 
personal  data,  where  such  collection  is  not  mandated  by  law. 


100.050:   Policy  on  Fees 


Where applicable, fees for copying records shall be charged in accordance
with the schedule set forth in 106 CMR 100.060. Fees may only be charged
where an individual requests that a copy be made of the record to which he
or she is granted access.


100.060: Fee Schedule


(A)  Except  as  provided  in  paragraph  (D),  the  Department  of  Public  Welfare 
shall  charge  a  fee  of  10  cents  per  page  for  photocopying  records 
susceptible  to  photocopying. 

(B)  Except  as  provided  in  paragraph  (D),  the  Department  of  Public  Welfare 
shall  charge  a  fee  substantially  equivalent  to  the  actual  cost  of 
reproduction  as  determined  by  the  responsible  Department  of  Public 
Welfare  employee  for  copying  records  not  susceptible  to  photocopying 
(e.g.,  punch  cards  or  magnetic  tapes).  Where  a  copy  of  the  record 
must be made in order to provide access to the record (e.g., computer
printout  where  no  screen  reading  is  available),  the  copy  shall  be 
made  available  to  the  individual  without  cost. 

(C)  A  fee  reasonably  related  to  cost  may  be  charged  for  making  a  search 
of  a  system  of  records,  provided  that  such  fee  is  consistent  with  950 
CMR  32.06  of  the  Freedom  of  Information  Regulations  promulgated  by 
the  Supervisor  of  Public  Records  (effective  January  6,  1978). 

(D)  No  charge  will  be  made  if  the  total  fee  specified  in  106  CMR  100.060 
would not exceed two dollars.

100.070: Payment of Fees


Any  fee  due  under  section  100.060  shall  be  paid  in  advance  of  the 
receipt of copies of personal data by check or money order made payable
to the Commonwealth of Massachusetts and delivered to the responsible
Department of Public Welfare employee, but payment in cash, for
which  a  receipt  shall  be  given,  shall  be  accepted  where  the  total  charge 
is five dollars ($5) or less.

101.010: Meaning of Terms

As used in Chapters 100 through 108 unless the context otherwise requires,
the following terms shall have the following meanings.

101.020:   Department  of  Public  Welfare 

Hereafter,  the  Department  of  Public  Welfare  will  be  referred  to  only 
as  "department". 

101.030:   Data  Subject 

"Data  subject"  means  an  individual  to  whom  personal  data  refers. 

101.040:   Holder 

"Holder",  an  agency  which  collects,  uses,  maintains  or  disseminates 
personal data or any person or entity which contracts or has an arrangement
with an agency whereby it holds personal data as part of or as a
result  of  performing  a  governmental  or  public  function  or  purpose.   A 
holder  which  is  not  an  agency  is  a  holder  only  with  respect  to  personal 
data  so  held  under  contract  or  arrangement  with  an  agency. 

101.050:   Holds 

"Holds"  means  collects,  maintains,  or  disseminates,  whether  manually, 
or  electronically. 

101.060:   Personal  Data 

"Personal  data"  means  any  information  concerning  an  individual  which, 
because  of  name,  identifying  number,  mark  or  description  can  be  readily 
associated  with  a  particular  individual;  provided,  however,  that  such 
information  is  not  contained  in  a  public  record  as  defined  in  §  101.090. 
"Personal  data"  shall  not  include  intelligence  information,  evaluative 
information  or  criminal  offender  record  information  as  defined  in  G.L. 
c. 6, § 167.

101.070:   Personal  Data  System 

"Personal  data  system"  means  a  system  of  records  containing  personal 
data,  which  system  is  organized  such  that  the  data  are  retrievable  by 
use of the identity of the data subject.

101.080: Personal Identifier

"Personal  identifier"  means  any  element  of  data  which  may  be  used  to 
fix  a  person's  identity  either  by  itself  or  when  combined  with  other 
data  accessible  to  the  holder  of  such  data  and  which  may  include,  but 
is  not  necessarily  limited  to:   name,  address,  social  security  number, 
date  of  birth,  race,  zip  code,  mother's  given  name,  mother's  maiden 
name,  or  any  part  of  the  mother's  given  or  maiden  name. 

101.090: Public Records

"Public records" means all books, papers, maps, photographs, recorded
tapes, financial statements, statistical tabulations, or other documentary
materials or data, regardless of physical form or characteristics,
made  or  received  by  any  officer  or  employee  of  any  agency,  executive 
office,  department,  board,  commission,  bureau,  division  or  authority  of 
the  Commonwealth  or  of  any  political  subdivision  thereof,  or  of  any 
authority  established  by  the  general  court  to  serve  a  public  purpose, 
unless  such  materials  or  data  fall  within  the  following  exemptions  in 
that  they  are: 

(A)  specifically  or  by  necessary  implication  exempted  from  disclosure 
by  statute; 

(B)  related  solely  to  internal  personnel  rules  and  practices  of  the 
government  unit,  provided  however,  that  such  records  shall  be  withheld 
only  to  the  extent  that  proper  performance  of  necessary  governmental 
functions  requires  such  withholding; 

(C) personnel and medical files or information; also any other materials
or data relating to a specifically named individual, the disclosure
of which may constitute an unwarranted invasion of personal
privacy; 

(D)  inter-agency  or  intra-agency  memoranda  or  letters  relating  to 
policy  positions  being  developed  by  the  agency;  but  this  subparagraph 
shall  not  apply  to  reasonably  completed  factual  studies  or  reports  on 
which  the  development  of  such  policy  positions  has  been  or  may  be 
based; 

(E) notebooks and other materials prepared by an employee of the Commonwealth
which are personal to him and not maintained as part of the
files  of  the  governmental  units; 

(F)  investigatory  materials  necessarily  compiled  out  of  the  public 
view by law enforcement or other investigatory officials the disclosure
of which materials would probably so prejudice the possibility
of  effective  law  enforcement  that  such  disclosure  would  not  be  in  the 
public interest;

(G) trade secrets or commercial or financial information voluntarily
provided  to  an  agency  for  use  in  developing  governmental  policy  and 
upon  a  promise  of  confidentiality;  but  this  subparagraph  shall  not 
apply  to  information  submitted  as  required  by  law  or  as  a  condition 
of  receiving  a  governmental  contract  or  other  benefit; 

(H)   proposals  and  bids  to  enter  into  any  contract  or  agreement  until 
the  time  for  the  opening  of  bids  in  the  case  of  proposals  or  bids  to 
be opened publicly, and until the time for the receipt of bids or proposals
has expired in all other cases; and inter-agency or intra-agency
communications made in connection with an evaluation process
for  reviewing  bids  or  proposals,  prior  to  a  decision  to  enter  into 
negotiations  with,  or  to  award  a  contract  to,  a  particular  person. 

(I) appraisals of real property acquired or to be acquired until
(1) a final agreement is entered into; or (2) any litigation relative
to such appraisal has been terminated; or (3) the time within which
to commence such litigation has expired.

102.010: Officer Designation

The  department  shall  designate,  for  each  personal  data  system  it 
maintains,  a  person  to  serve  as  the  responsible  person  under  G.L.  c. 
66A,  §  2(a).   A  single  employee  may  serve  as  the  responsible  person 
for  more  than  one  such  system. 

102.020:   Duties  and  Responsibilities 

The  officer  described  in  section  102.010  shall,  with  respect  to 
the  system  or  systems  for  which  he  is  immediately  responsible: 

(A)  ensure  that  the  requirements  of  G.L.  c.  66A  and  of  these 
regulations  for  preventing  unauthorized  access  to  personal  data  are 
followed; 

(B)  receive  complaints  and  objections;  and 

(C) answer questions.

103.010: Agreements with Holders of Personal Data

(A) The department shall not permit any person or entity to hold personal
data as part of or as a result of performing, on behalf of such
agency,  a  governmental  or  public  function  or  purpose,  unless: 

(1) the department has informed such person or entity that it is
a holder of personal data, as defined by section 101.040, and subject
to the provisions of G.L. c. 66A, § 2; and

(2)  such  person  or  entity  has  agreed  to  conform  to  the  obligations 
of the department set out in Chapters 103, 105, 106, sections 104.010
through 104.050 of Chapter 104 and sections 107.030 through 107.050
of Chapter 107 of these regulations.

(B)  Any  contract  or  agreement  between  the  department  and  a  person  or 
entity  under  which  such  person  or  entity  will  hold  personal  data  as  part 
of  or  as  a  result  of  performing  a  governmental  or  public  function  or 
purpose  shall,  by  its  terms,  obligate  such  person  or  entity  to  conform 
to  the  obligations  of  the  department  set  out  in  Chapters  103,  105,  106, 
sections  104.010  through  104.050  of  Chapter  104  and  sections  107.030 
through  107.050  of  Chapter  107  of  these  regulations  and  shall  provide 
further  that  failure  to  so  conform  to  such  obligations  shall  be  grounds 
for  terminating  such  contract  or  agreement. 

(C)  The  department  may,  without  the  consent  of  the  data  subject,  have 
access  to  personal  data  held  pursuant  to  its  contract  or  agreement  with 
a  person  or  entity  under  which  such  person  or  entity  will  hold  personal 
data  as  part  of  or  as  a  result  of  performing  a  governmental  or  public 
function  or  purpose;  provided,  that  such  contract  or  agreement  shall 
provide  for  such  access  on  behalf  of  the  Department. 

103.020:   Personnel  Training 

The  department  shall  periodically  inform  all  of  its  employees  who  have 
responsibilities  or  functions  for  the  design,  development,  operation,  or 
maintenance  of  a  personal  data  system  or  the  use  of  personal  data  therein, 
of  the  provisions  of  these  regulations  and  of  the  civil  remedies  described 
in  G.L.  c.  214,  §  3B,  available  to  individuals  whose  rights  under  G.L.  c. 
66A  are  allegedly  violated,  and  shall  use  its  best  efforts  to  assure  that 
such  employees  understand  and  comply  with  these  regulations. 

103.030:   Physical  Security 

The  department  shall  take  all  reasonable  steps  for  the  protection  of 
data  from  physical  damage  or  unauthorized  removal,  including  procedures, 
where  feasible  and  appropriate,  providing  for: 

(A) adequate fire detection and extinguishing systems;

(B) protection against water and smoke damage;

(C) water tight facilities;

(D) alarm systems, safes and locked files, window bars, security
guards  or  any  other  devices  reasonably  expected  to  prevent  loss  through 
larceny  or  other  means  of  unauthorized  removal  for  manually  held  data, 
including  files,  tapes,  cards  and  like  materials;  and 

(E)   passwords,  keys,  badges,  access  logs,  or  other  methods  reasonably 
expected  to  prevent  loss  through  larceny  or  other  means  of  unauthorized 
removal  for  mechanically  or  electronically  held  data. 

103.040:   Duplicate  Files 

(A)  The  department  shall  ensure  that  the  number  of  duplicate  files  of 
personal  data  is  maintained  at  an  absolute  minimum. 

(B)  The  department  shall  ensure  that  all  duplicate  file  systems  are 
maintained  consistent  with  the  requirements  of  these  regulations. 

103.050:   Notice  and  Annual  Report  to  the  Secretary  of  State 

The  department  shall,  by  September  1,  1976  and  annually  thereafter, 
and  upon  the  subsequent  establishment,  termination,  or  change  in 
character  of  a  personal  data  system,  file  a  report  with  the  Secretary  of 
State  regarding  each  personal  data  system  it  operates.   Such  report  shall 
be  maintained  by  the  department  as  a  public  record.   Such  report  shall 
include,  but  not  necessarily  be  limited  to  the  following  information: 

(A)  the  name  of  the  system  and  the  title  and  address  of  the  person  in 
charge  of  it; 

(B)  the  nature  and  purpose  of  the  system; 

(C)  the  identification  of  the  types,  categories,  uses  and  sources  of 
data  held  in  the  system; 

(D)  the  approximate  number  of  individuals  about  whom  data  is  held  in 
the  system; 

(E)  whether  and  to  what  extent  the  data  is  held  in  computerized  form; 

(F)  a  description  of  each  person  and  organization  having  access  to 
the  system; 

(G)  a  description  of  the  policies  and  practices  of  the  agency  with 
regard to data maintenance, retention, and disposal;

(H) a description of the manner in which any individual who believes
that  data  about  him  is  held  in  the  system,  may  have  a  search  made 
and,  if  such  data  is  so  held,  may  inspect,  copy,  and  object  to  it 
as  provided  in  these  regulations;  and 

(I) a description of other actions taken to comply with these regulations
and Massachusetts Law, particularly G.L. c. 66A.

103.060:  Audit  Trail 

The  department  shall  maintain,  as  an  audit  trail,  records  which  show 
any  access  to  or  use  of  personal  data  which  the  department  holds  by 
persons  or  organizations  outside  of  the  department.   The  department  need 
not  record  in  the  audit  trail  any  such  access  or  use  by  its  employees 
acting  within  their  official  duties.   In  the  case  of  personal  data 
systems  in  which  personal  data  is  stored,  in  whole  or  in  part,  in  a 
computer  or  in  electronically  controlled  or  accessible  files,  the  audit 
trail  shall  include  a  complete  and  accurate  record  of  every  disclosure 
of personal data, including the identity of all persons and organizations
to whom such access or use has been granted and their declared
intentions  regarding  the  use  of  such  personal  data.   The  data  subject 
need  not  declare  her/his  intentions  regarding  the  use  of  such  personal 
data.   In  the  case  of  all  other  personal  data  systems,  the  audit  trail 
shall  include  such  information  to  the  maximum  extent  feasible.   The 
audit  trail  shall  be  deemed  part  of  the  data  to  which  it  relates  for 
all  purposes  under  these  regulations. 

103.070:   Limitation  on  Collection  of  Personal  Data 

The  department  shall  collect  and  maintain  only  those  personal  data 
which  are  reasonably  necessary  for  the  performance  of  its  statutory 
functions. 

103.080:   Destruction  of  Obsolete  Personal  Data 

Pursuant  to  G.L.  c.  30,  §  42,  the  department  shall  develop  and 
implement,  with  the  approval  of  the  Records  Conservation  Board,  a  plan 
for  the  destruction  of  obsolete  data.   As  part  of  such  implementation, 
each  agency  shall  periodically  review  all  personal  data  systems  for  the 
purpose of destroying obsolete personal data.

104.010: Regulation of Access to Personal Data

Except as provided in section 104.020, the department shall not permit
access to personal data to any person other than an employee of the
department  or  the  data  subject  unless  such  access  is  authorized  by 
state  or  federal  statute  or  regulation  consistent  with  the  purposes  of 
these  regulations  or  is  approved  by  the  data  subject  whose  personal 
data  is  sought. 

104.020:   Accuracy  of  Released  Personal  Data 

Where  access  to  personal  data  is  authorized  pursuant  to  this  Chapter, 
with  or  without  the  approval  of  the  data  subject,  the  department  shall 
release  such  data  in  the  most  accurate  form  possible.   If  the  department 
has  reason  to  believe  that  personal  data  may  be  inaccurate,  it  shall 
either  verify  such  data  prior  to  release  or  state  at  the  time  of  such 
release  that  the  data  may  be  inaccurate. 

104.030:   Exception  for  Medical  or  Psychiatric  Emergencies 

Where  release  of  personal  data  is  not  generally  authorized  by  statute 
or  regulation,  medical  or  psychiatric  data  may  be  made  available  to  a 
physician  treating  a  data  subject,  upon  the  request  of  said  physician, 
if  a  medical  or  psychiatric  emergency  arises  which  precludes  the  data 
subject  giving  approval  for  the  release  of  such  data;  provided,  however, 
that  the  department  shall  give  notice  of  the  fact  of  such  release  to  the 
data  subject  upon  termination  of  the  emergency. 

104.040:   Approval  by  Data  Subject 

The  approval  of  a  data  subject  prior  to  granting  access  as  required 
by  section  104.010  may  be  granted  in  writing  or  orally,  including  by 
telephone;  provided,  that  the  department  shall  make  reasonable  efforts 
to  verify  the  identity  of  the  data  subject;  and,  provided  further,  that 
the  department  shall,  if  no  written  consent  is  given,  make  a  notation 
of  an  oral  approval  and  shall  file  such  notation  with  the  personal  data 
held. 

104.050:   Response  to  Compulsory  Legal  Process 

The  department  shall,  as  required  by  G.L.  c.  66A,  §  2(k),  maintain 
procedures  to  ensure  that  no  personal  data  are  made  available  from  its 
personal  data  systems  in  response  to  a  demand  for  data  made  by  means  of 
compulsory  legal  process  unless  the  data  subject  has  been  notified  of 
such  demand  in  reasonable  time  that  he  may  seek  to  have  the  process 
quashed.   To  fulfill  this  requirement,  the  procedures  of  the  department 
shall include:

(A) an explanation to department personnel of the service of subpoenas
under  Rule  45  of  the  Rules  of  Civil  Procedure  (for  civil  litigation  in 
state  and  federal  courts),  G.L.  c.  233,  §§  1-6  (for  criminal  litigation 
in state courts), Rule 17 of the Rules of Criminal Procedure for the
United  States  District  Courts  (for  criminal  litigation  in  the  federal 
courts)  and  G.L.  c.  30A  §  12  (for  adjudicatory  proceedings  before 
state agencies);

(B)  a  requirement  that  service  of  a  subpoena  which  names  a  department 
officer  or  employee  will  be  accepted  on  behalf  of  said  officer  or 
employee  by  any  other  individual  only  if  such  acceptance  occurs  at 
least  three  business  days  prior  to  and  not  including  the  day  on  which 
the  attendance  of  said  officer  or  employee  is  demanded; 

(C)  instructions  to  attempt  in  all  cases  to  negotiate  with  the  person 
causing  the  subpoena  to  be  served  with  a  view  to  avoiding  the  appearance 
or,  if  an  appearance  is  necessary,  narrowing  the  scope  of  the  subpoena 
to  those  matters  truly  required;  and 

(D)  a  requirement  that  the  data  subject  be  notified  no  later  than  the 
next  business  day  following  the  day  on  which  the  subpoena  is  served. 

104.060:   Scope  of  Sections  104.060  through  104.110 

Neither  G.L.  c.  66A  nor  these  regulations  alter  the  requirements  of 
the  Freedom  of  Information  Act,  G.L.  c.  66,  §  10,  that  agencies  must 
grant  access  by  members  of  the  public  to  all  public  records.   An  agency's 
determination  of  whether  or  not  to  release  a  record  often  hinges  on 
whether  or  not  that  record  is  a  public  record. 

Among  the  exemptions  listed  in  the  definition  of  "public  record"  is 
one  for  records  the  disclosure  of  which  may  constitute  an  unwarranted 
invasion  of  personal  privacy.   The  rules  and  examples  set  out  in  this 
Chapter  are  intended  to  aid  agencies  in  identifying  such  invasions  as 
part  of  the  process  of  identifying  public  records. 

104.070:   Access  to  Public  Records 

Pursuant to G.L. c. 66, § 10, an agency must grant access upon request,
without the consent of the data subject, to any personal data
which  is  a  public  record  as  defined  in  section  101.090.   Each  agency 
must  establish  a  procedure  for  resolving  questions  within  such  agency 
regarding  the  identification  of  public  records.   Such  procedure  must 
be  consistent  with  AB  74-17,  Regulations  on  Freedom  of  Information, 
promulgated  by  the  Commissioner  of  Administration  pursuant  to  G.L.  c. 
7, §§ 3 and 4.

104.080: Unwarranted Invasion of Personal Privacy: General Rule

If the disclosure of personal data may constitute an unwarranted invasion
of personal privacy, the personal data is not a public record.
In  general,  disclosure  of  personal  data  may  constitute  an  unwarranted 
invasion  of  privacy  when: 

(A)  the  personal  data  is  not  of  common  knowledge,  not  of  public  record, 
and  not  in  public  view; 

(B)  disclosure  will  more  likely  than  not  be  embarrassing  or  offensive 
to  the  data  subject;  and 

(C)  there  is  no  legitimate  public  interest  in  disclosure  sufficient 
to  outweigh  the  potentially  embarrassing  or  offensive  nature  of  the 
disclosure. 

104.090:   Unwarranted  Invasion  of  Personal  Privacy:   Examples 

In  implementing  section  104.080,  the  department  shall  consider  the 
examples  in  the  remainder  of  this  Chapter. 

104.100:   Disclosures  Not  Constituting  an  Unwarranted  Invasion 

Disclosure  to  the  public  of  personal  data  in  the  following  situations 
is  not  normally  an  unwarranted  invasion  of  privacy: 

(A)  Disclosure  of  an  unverified,  citizen's  complaint  concerning  the 
professional  conduct  of  a  health  professional. 

(B)  Disclosure  of  a  license  survey  report  which  includes  evaluative 
materials  concerning  the  professional  conduct  of  a  health  professional. 

Explanation:   Clauses  (A)  and  (B)  of  section  104.080  may  be  satisfied 
in  examples  (A)  and  (B)  above.   However,  the  public  has  a  legitimate 
interest  in  learning  of  improper  professional  conduct  which  may  affect 
the  quality  of  health  care  provided  to  the  public,  and  this  public 
interest  in  disclosure  will  normally  outweigh  the  potentially  embarrassing 
nature  of  the  disclosure.   In  order  to  disclose  the  personal  data  in  the 
most  accurate  form  possible,  the  agency  should  accompany  the  disclosure 
of  an  unverified  complaint  with  an  explanation  that  the  complaint  is 
unverified  and,  if  an  investigation  is  planned  or  in  progress,  the  date 
by  which  such  investigations  will  be  completed. 

(C)  Disclosure  of  an  intra-agency  memorandum  which  concludes  that  an 
agency  employee  has  performed  his  administrative  duties  improperly,  and 
such administrative duties affect the quality of services to the public.

Explanation: Clauses (A) and (B) of section 104.080 may be satisfied.
However, the public's legitimate interest in information relating
to the quality of services of a public agency will normally
outweigh  the  potentially  embarrassing  nature  of  the  disclosure. 
An  employment  relationship  between  an  employee  and  the  agency  will 
not  normally  preclude  the  agency  from  disclosure  of  this  information. 

(D)  Disclosure  of  embarrassing  information  contained  in  an  affidavit 
filed  in  court  in  connection  with  a  law  suit. 

(E)  Disclosure  of  embarrassing  information  which  has  recently  been 
published  in  a  local  newspaper  of  general  circulation. 

Explanation:   Clause  (A)  of  section  104.080  is  not  satisfied  in 
examples  (D)  and  (E)  because  the  information  in  example  (D)  is  a  public 
record  and  the  information  in  example  (E)  is  common  knowledge. 

104.110:   Disclosure  Constituting  an  Unwarranted  Invasion 

Disclosure  to  the  public  of  personal  data  in  the  following  situations 
is  normally  an  unwarranted  invasion  of  personal  privacy: 

(A)  Disclosure  of  information  from  the  records  of  a  client. 

Explanation: Clauses (A), (B) and (C) of section 104.080 are normally
satisfied.   Any  legitimate  public  interest  can  be  served  by  aggregating 
data  in  statistical  form. 

(B) Disclosure of the resume of or evaluative materials on an applicant
for employment by the Department.

Explanation: Clauses (A), (B) and (C) of section 104.080 are normally
satisfied with regard to such information if disclosure is potentially
embarrassing or offensive. However, in some situations, for
example,  where  the  applicant  seeks  a  particularly  high-level  position 
and  the  information  is  relevant  to  the  applicant's  ability  to  carry  out 
the  responsibilities  of  this  position,  the  legitimate  public  interest 
in  disclosure  may  outweigh  the  embarrassing  nature  of  the  disclosure, 
in  which  case  disclosure  may  not  constitute  an  unwarranted  invasion  of 
privacy. 

(C)  Disclosure  of  embarrassing  information  concerning  the  personal 
life  of  an  employee  where  such  information  is  marginally  related  to  the 
ability of the employee to carry out the responsibilities of his position.

Explanation:   Normally,  clauses  (A),  (B)  and  (C)  of  section  104.080 
are  satisfied.   In  this  example  the  public's  legitimate  interest  in 
disclosure does not outweigh the embarrassing nature of the disclosure.

104.120: Disclosure to Investigative Agents of the Attorney General or the State Ethics Commission

The Department may give access to personal data it holds to authorized
investigative agents of the Attorney General or of the State
Ethics Commission acting in furtherance of their official duties.

105.010: Public Inquiry

Where  an  individual  has  reason  to  believe  that  personal  data  relating 
to  him  is  held,  but  where  the  specific  agency  which  holds  such  data  is 
unknown  to  him,  the  individual  may  request,  in  writing,  that  the 
Secretary  of  Human  Services  or  his  designee  locate  all  personal  data 
held  in  personal  data  systems  by  all  agencies  under  the  Secretary  of 
Human  Services.   Said  Secretary  or  his  designee  shall  make  a  reasonable 
effort  to  locate  all  such  personal  data.   Said  Secretary  shall  respond 
to  such  request  within  twenty  (20)  days. 

105.020:   Request  of  Individual  for  Notification  of  Holding 

The  department  shall  inform  any  individual  in  writing,  within  twenty 
(20)  days  of  receipt  of  a  request,  whether  it  maintains  in  a  personal 
data  system  any  personal  data  concerning  such  individual. 

105.030:   Right  of  Data  Subject  to  Access 

Unless access by a data subject is prohibited by statute, the department
shall, as promptly as possible, but in any event within twenty (20)
days  of  receipt  of  a  request,  grant  access  to  any  data  subject  to  any 
personal  data  concerning  him  which  it  holds  in  a  personal  data  system. 
In  addition,  such  data  subject  shall  have  the  right  to  inspect  and  to 
copy  any  personal  data  to  which  he  has  access,  subject  to  any  rules 
established  under  section  100.060. 

If  a  data  subject  is  otherwise  entitled  to  access  to  personal  data 
pursuant  to  these  regulations,  the  department  shall  not  deny  such  data  subject
access  to  such  data  solely  because  such  data  are  not  public  records
as  defined  in  section  101.090. 

105.040:   Release  of  Personal  Data  Pursuant  to  Request  of  Data  Subject 

As  promptly  as  possible,  but  in  any  event  within  twenty  (20)  days 
of  receipt  of  a  request,  the  department  shall,  if  practicable,  release 
personal  data  to  a  third  party  designated  by  a  data  subject,  subject  to 
any  rules  established  under  section  100.060. 

105.050:   Removal  of  Third  Party  Identifiers  From  Data  Released  to  Data  Subjects 

The  department  shall  remove  from  any  personal  data  to  which  access 
is  granted  pursuant  to  section  105.030  or  which  is  released  by  the 
department  pursuant  to  section  105.040,  any  personal  identifiers  relating
to  a  third  person,  except  where  such  third  person  is  an  officer
or  employee  of  government  acting  as  such  and  the  data  subject  is  not. 

105.060:   Withholding  Information  Which  is  Under  Investigation

The  department  may  deny  access  to  a  data  subject  to  personal  data 
which  is  at  the  time  of  the  request  for  access  the  subject  of  an 
investigation  if  such  access  would  probably  so  prejudice  the  possibility
of  effective  law  enforcement  that  such  access  would  not  be  in  the
public  interest;  provided,  that  such  denial  of  access  shall  not  in  any 
way  affect  a  data  subject's  rights  under  administrative  or  judicial 
discovery  procedures.   Such  access  may  be  denied  until  such  investigation
has  been  completed  and  any  resultant  administrative  or  judicial
proceeding  commenced  or  one  year  from  the  commencement  of  such 
investigation,  whichever  is  sooner. 

105.070:   Notification  of  Denial  of  Access  to  Data 

The  department  shall,  within  twenty  (20)  days  of  receipt  of  a  request,
notify  in  writing  any  individual,  in  terms  comprehensible  to
him,  of  its  denial  of  his  request  for  access,  the  reasons  therefor,
and  the  rights  of  appeal  set  forth  in  Chapter  107. 


105.080:   Rights  of  Minors 


Unless  otherwise  provided  by  law,  rights  and  powers  granted  to  a 
data  subject  under  these  regulations  shall  apply: 

(A)  exclusively  to  a  data  subject  if  he  has  attained  the  age  of  18; 

(B)  to  both  the  data  subject  and  his  parents,  parent  or  guardians  or 
either  one  acting  alone,  if  the  data  subject  has  attained  the  age  of 
14  but  not  the  age  of  18;  and

(C)  exclusively  to  the  data  subject's  parents,  parent  or  guardian  if 
the  data  subject  has  not  yet  attained  the  age  of  14; 

provided,  however,  that  in  any  situation  where  in  the  reasonable  judgment
of  the  department  the  interests  of  a  parent  or  guardian  are  substantially
adverse  to  those  of  a  child  about  whom  personal  data  are
held,  the  department  may  deny  exercise  of  any  right  or  power  to  such 
parent  or  guardian  and  effectuate  alternative  means  for  safeguarding 
the  exercise  of  such  right  and  power  for,  or  on  behalf  of,  such  child. 

Any  parent  or  guardian  denied  pursuant  to  this  section  the  exercise 
of  any  right  or  power  may  appeal  such  denial  under  Chapter  107  of  these 
regulations. 

106.010:   Objections  by  Data  Subjects

A  data  subject  who  objects  to  the  collection,  maintenance,  dissemination,
use,  accuracy,  completeness  or  type  of  personal  data  held  regarding
him,  may  file  an  objection  with  the  officer  in  charge  of  the  personal
data  system  complained  against  designated  pursuant  to  section  102.010. 
Should  said  officer  be  unavailable,  the  data  subject  may  make  his 
objections  to  the  Commissioner  of  Public  Welfare. 

106.020:   Duties  of  Responsible  Officer  Pursuant  to  Objection 

The  officer  responsible  for  a  data  system  shall,  within  thirty  (30) 
days  of  the  receipt  of  an  objection: 

(A)  investigate  the  validity  of  the  objection;

(B)  if,  after  the  investigation  — 

(1)  the  objection  is  found  to  be  meritorious,  correct  the  contents 
of  the  data  or  the  methods  for  holding  or  the  use  of  such  data; 

or 

(2)  the  objection  is  found  to  lack  merit,  provide  the  data  subject 
the  opportunity  to  have  a  statement  reflecting  his  views  recorded 
and  disseminated  with  the  data  in  question;  and 

(C)  notify  the  data  subject  in  writing  of  his  decision  and  send  a  copy 
of  such  decision  to  the  Commissioner  or  his  designee. 

107.010:   Appeal  of  Department  Denial  of  Access  or  Decision  of  Responsible  Officer

Any  data  subject  who  wishes  to  challenge  either  the  department  denial, 
pursuant  to  section  105.070,  of  his  request  for  access  or  the  decision 
of  the  officer  in  charge  of  a  personal  data  system  pursuant  to  section 
106.020  may  appeal  such  denial  or  decision  to  the  Commissioner  of 
Public  Welfare.   Such  appeal  shall  be  filed  in  writing  within  thirty 
(30)  days  of  the  data  subject's  receipt  of  notification  of  the  agency 
denial  or  the  decision  of  the  officer. 

107.020:   Appeal  to  the  Commissioner  or  His  Designee 

The  Commissioner  or  his  designee  hearing  an  appeal  filed  pursuant 
to  section  107.010  shall,  at  the  request  of  the  appellant  data  subject, 
convene  an  adjudicatory  hearing,  pursuant  to  Chapter  30A  of  the  General 
Laws,  within  thirty  (30)  days  of  the  filing  of  such  appeal,  and  shall 
render  a  decision  on  the  merits  within  thirty  (30)  days  of  the  conclusion
of  such  hearing.   Within  seven  (7)  days  of  rendering  his  decision,
the  Commissioner  or  his  designee  shall  send  written  notification  to  the 
appellant  data  subject  and  to  the  appellee  responsible  officer  regarding
the  nature  of  the  decision  and  the  reasons  therefor.   If  such
decision  is  adverse  to  the  data  subject,  such  notification  shall  include
notice,  in  terms  comprehensible  to  the  data  subject,  of  the  right
of  the  data  subject  to  further  review  pursuant  to  section  107.030. 

107.030:   Appeal  to  Executive  Office  of  Human  Services 

(A)  Any  data  subject  who  wishes  to  challenge  the  decision  of  the 
Commissioner  rendered  pursuant  to  section  107.020,  may  appeal  such  decision
to  the  Secretary  of  Human  Services  or  his  designee.   Such  appeal
shall  be  filed  in  writing  within  thirty  (30)  days  of  the  data  subject's 
receipt  of  notification  of  the  decision  of  the  Commissioner. 

(B)  In  hearing  an  appeal  under  this  section,  the  Secretary  or  his 
designee  shall  limit  his  review  to  an  interpretation  of  the  relevant 
statutes  and  regulations  and  their  application  to  the  facts  in  each  case 
being  appealed.   The  Secretary  or  his  designee  shall  not  review,  in  any 
way,  the  decision  of  the  Commissioner  with  regard  to  the  factual  issues 
in  each  case.   The  Secretary  or  his  designee  may,  at  his  discretion, 
conduct  a  hearing,  on  terms  and  in  a  format  which  he  deems  appropriate, 
for  the  purpose  of  receiving  arguments  on  issues  which  he  deems  pertinent
to  his  review.   The  Secretary  or  his  designee  shall  convene  such
hearing,  if  at  all,  within  thirty  (30)  days  of  the  filing  of  the  appeal. 

(C)  The  Secretary  or  his  designee  shall  render  a  decision  within  thirty
(30)  days  of  the  filing  of  the  appeal  or  within  thirty  (30)  days  of
the  conclusion  of  the  hearing,  if  any,  whichever  is  later.   The 
Secretary  or  his  designee  shall  send  written  notification  to  the  appellant
data  subject  and  to  the  Commissioner  of  his  decision  and  the
reasons  therefor. 

(D)   A  decision  rendered  pursuant  to  section  107.030(C)  shall  be  the 
final  and  conclusive  administrative  determination  of  the  issues  in  controversy
in  each  case.

107.040:   Failure  To  Render  A  Decision 

Any  failure  to  render  a  decision  at  any  stage  of  the  appeal  process 
within  the  time  periods  set  out  in  this  Chapter  shall  result  in  a 
decision  favorable  to  the  appellant  data  subject,  except  that  the  time 
periods  may  be  extended  by  agreement  between  the  data  subject  and  the 
department.

107.050:   Judicial  Relief 

The  procedure  established  by  section  107.030  shall  constitute  an 
additional  remedy  which  may  be  employed  or  abandoned  at  any  time  in 
favor  of  the  judicial  remedy  provided  by  G.L.  c.  214,  §  3B,  the  department
shall  not  interpose  any  defense  of  failure  to  exhaust  administrative
remedies  in  case  of  any  civil  action  pursuant  to  said  §  3B  for
failure  to  use  the  section  107.030  procedure. 

108.010:   Sanctions

(A)  Any  employee  of  the  department  found  breaching  the  confidentiality 
of  data  subjects  through  violation  of  these  regulations  shall  be  subject
to  reprimand,  suspension,  dismissal,  or  other  disciplinary  actions
by  the  department  consistent  with  the  rules  and  regulations  of  the 
Commonwealth  governing  its  employees,  and  may  be  denied  future  contact 
with  personal  data  and  removed  from  holding  responsibility. 

(B)  Any  agency  which  violates  the  terms  of  these  regulations  may  be 
liable  to  individuals  injured,  pursuant  to  G.L.  c.  214,  §  3B,  as  added 
by  St.  1975,  c.  776  §  3,  and  the  legal  action  to  enjoin  such  violations 
brought  by  the  Attorney  General. 

(C)  Any  entity  other  than  an  agency  which  violates  a  contract  with  an 
agency  is  subject  to  the  penalty  provisions  of  the  contract  and  may 
forfeit  the  rights  in  contract  with  that  of  any  other  agency.   If  an 
action  is  brought  against  an  agency  under  G.L.  c.  214,  §  3B,  for  any 
violation  for  which  any  entity  other  than  the  defendant  agency  may  be 
liable,  said  entity  may  be  impleaded  as  a  third-party  defendant.   Any
entity  other  than  an  agency  which  violates  any  provision  of  these 
regulations  shall  be  subject  to  a  review  and  an  investigation  by  the 
appropriate  contracting  agency,  which  may  lead  to  suspension  of  any 
contractual  relationship  and  to  legal  sanctions  brought  by  the  Attorney 
General. 

108.020:   Monitoring  and  Enforcement 

(A)  The  Commissioner  of  Public  Welfare  or  his  designees,  shall  be 
responsible  for  the  monitoring  of  compliance  with  these  regulations  in 
cooperation  with  the  Department  of  the  Attorney  General  pursuant  to 
G.L.  c.  214,  §  3B,  as  added  by  St.  1975,  c.  776,  §  3. 

(B)  The  Commissioner  of  Administration  or  his  designee  pursuant  to  G.L.
c.  66A  §  3,  as  added  by  St.  1975,  c.  776,  §  1,  is  responsible  for 
approving  these  regulations. 




